CVE-2024-57638

7.5 HIGH

📋 TL;DR

A SQL injection vulnerability in the dfe_body_copy component of OpenLink Virtuoso Open-Source allows attackers to execute crafted SQL statements, causing denial of service. This affects systems running vulnerable versions of Virtuoso that expose SQL interfaces. Database administrators and applications using Virtuoso as a backend are at risk.

💻 Affected Systems

Products:
  • OpenLink Virtuoso Open-Source
Versions: v7.2.11 and potentially earlier versions
Operating Systems: All platforms running Virtuoso
Default Config Vulnerable: ⚠️ Yes
Notes: Any configuration that allows SQL statement execution through the vulnerable component is affected.

⚠️ Risk & Real-World Impact

🔴 Worst Case

Complete database unavailability through resource exhaustion or corruption, potentially affecting all dependent applications and services.

🟠 Likely Case

Service disruption through CPU/memory exhaustion, causing intermittent downtime for database operations.

🟢 If Mitigated

Limited impact with proper input validation and query restrictions in place.

🌐 Internet-Facing: HIGH if SQL endpoints are exposed to untrusted networks without proper filtering.
🏢 Internal Only: MEDIUM as internal users or compromised applications could still trigger the vulnerability.

🎯 Exploit Status

Public PoC: ✅ No
Weaponized: UNKNOWN
Unauthenticated Exploit: ✅ No
Complexity: MEDIUM

Requires ability to execute SQL statements against the vulnerable component. SQL injection knowledge needed.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: Check the GitHub issue for the latest patched version

Vendor Advisory: https://github.com/openlink/virtuoso-opensource/issues/1190

Restart Required: No

Instructions:

1. Monitor the GitHub issue for the patch release.
2. Update to the patched version when available.
3. Test in a non-production environment first.

🔧 Temporary Workarounds

Input Validation and Filtering (applies to: all)

Implement strict input validation and parameterized queries for all SQL statements.

Access Restriction (applies to: all)

Restrict SQL execution privileges to trusted users and applications only.

🧯 If You Can't Patch

  • Implement network segmentation to isolate Virtuoso instances from untrusted networks
  • Deploy a web application firewall with SQL injection detection rules

🔍 How to Verify

Check if Vulnerable:

Check the running Virtuoso version and compare it against the vulnerable versions listed in the GitHub issue.

Check Version:

SELECT sys_stat('st_dbms_version');

Verify Fix Applied:

After patching, test with safe SQL queries to ensure normal functionality without crashes.

📡 Detection & Monitoring

Log Indicators:

  • Unusual SQL query patterns
  • Database crash/restart events
  • High resource utilization spikes

Network Indicators:

  • Unusual SQL traffic patterns to database ports
  • Multiple failed query attempts

SIEM Query:

source="virtuoso.log" AND ("crash" OR "segfault" OR "memory exhaustion")
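The SIEM query above is a plain keyword match. As an added example (not from this page or the Virtuoso project), the script below applies the same indicator terms offline to a few constructed log lines and, for each hit, pulls out the SQL statements logged just before it so an analyst can see what the server was executing when it went down. The log line format and the sample lines are assumptions, not real Virtuoso output.

```python
import re
from collections import deque

# Constructed sample log lines; the layout (time, level, text) is assumed
# and is not real Virtuoso output.
SAMPLE_LOG = """\
10:01:02 INFO  Server online at 1111
10:01:10 QUERY conn=7 SELECT COUNT(*) FROM Demo.demo.Orders
10:01:11 QUERY conn=7 SELECT OrderID, CustomerID FROM Demo.demo.Orders
10:01:12 QUERY conn=9 SELECT name FROM Demo.demo.Customers WHERE CustomerID = 'ALFKI'
10:01:13 ERROR segfault in SQL compiler thread
10:01:20 INFO  Server restarted after crash
10:02:00 QUERY conn=3 SELECT 1
"""

# Same indicator terms as the SIEM query, matched case-insensitively.
INDICATOR_RE = re.compile(r"crash|segfault|memory exhaustion", re.IGNORECASE)
# Assumed shape of a query log line: "<time> QUERY conn=<n> <sql>".
QUERY_RE = re.compile(r"^\S+\s+QUERY\s+(conn=\d+)\s+(.*)$")


def find_crash_events(log_text, context=3):
    """Return one record per indicator hit, carrying the SQL statements
    found in the `context` log lines immediately before the hit."""
    recent = deque(maxlen=context)
    events = []
    for lineno, line in enumerate(log_text.splitlines(), start=1):
        if INDICATOR_RE.search(line):
            queries = []
            for prev in recent:
                m = QUERY_RE.match(prev)
                if m:
                    queries.append({"conn": m.group(1), "sql": m.group(2)})
            events.append({"lineno": lineno, "line": line,
                           "preceding_queries": queries})
        recent.append(line)
    return events


if __name__ == "__main__":
    for ev in find_crash_events(SAMPLE_LOG):
        print(f"line {ev['lineno']}: {ev['line']}")
        for q in ev["preceding_queries"]:
            print(f"    {q['conn']}: {q['sql']}")
```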
